It is becoming an all-too-familiar script. In November, malware intruded point-of-sale systems in over 50 Starwood hotels in North America. The malware, according to the company, "was designed to collect certain payment card information, including card-holder name, payment card number, security code and expiration date". Earlier this year, Ashley Madison, a website that helps people have extramarital affairs, was hacked. Sony Pictures, too, went through a nightmare last year after malware from a group called 'Guardians of Peace' stole its data and unreleased films.
These incidents highlight both the rise in cyber crime and the reactive approach of enterprises. Starwood, for instance, said that "promptly after discovering the issue, we engaged third-party forensic experts to conduct an extensive investigation". This, despite warnings from a number of online security software companies. Symantec, for instance, says that globally, five out of every six large companies were targeted with spear-phishing attacks in 2014, a 40 per cent jump over the previous year. These attacks are now likely to move from workstations to wearables and devices connected to the Internet of Things (IoT).
"While there has not been a surge in IoT and wearable attacks yet, by 2020 we may see these systems reach substantial enough penetration levels to attract attackers," says a report from security software vendor McAfee. It could be a disaster for companies in many sectors, including manufacturing - imagine what could happen if a connected car gets hacked!
Data breaches at these large enterprises underscore what Sergey Novikov, an executive from Kaspersky Lab's research and analysis team, calls a "philosophical point" - there is no 100 per cent protection against cyber crime. At best, one can minimise the impact, as cyber criminals will find a way around any defence. This, after all, is their bread and butter. They are one step ahead of security officers.
There are reasons why cyber criminals have an upper hand. Online security is not a part of the culture of many organisations - it is, for instance, rarely discussed in boardrooms. Forget CXOs, even tech professionals, trusted with securing the company's infrastructure, can make mistakes. Often, they forget to install software updates. At times, the updates may be incompatible with the old hardware, and the CFO may not sanction money to buy new hardware. All this is easy fodder for criminals who are typically hardcore programming geeks with access to research. Also, even if you are not a brilliant tech guy, several tools are available. In a report, McAfee says, "Off-the-shelf tool kits for malware, affiliate programmes for ransomware, fill-in-the-blank attack-creation programmes have been showing up in the dark web to support faster distribution of attacks. It now takes very little skill to be a cyber criminal."
What is even scarier is that in cases where cyber crime is state-sponsored, the perpetrators have access to unlimited resources. In the Sony Pictures hack case, for instance, the United States had pointed a finger at North Korea.
So, what can one do to minimise the damage, which need not always be in terms of money? The reputation of a firm as well as employee productivity may be hit. In cases such as Ashley Madison, it could be a personal setback for users.
The first step should be to follow the rule book - making sure that the maintenance engineer doesn't forget to install software updates. A medium to long-term approach would be to train everyone in the organisation on best practices. This could start with a simple presentation the day the employee joins, but must get more nuanced over time, says Saurabh Agarwal, Founder and Managing Director, SkillCube, a company engaged by companies to train employees on cyber security. This means that the training for a finance executive who has little knowledge about technology has to be different from that for an engineer.
At any rate, proactive cyber crime prevention is far better than reactive action and statements like the one issued by Starwood.